Information and support for Windows, DotNetNuke, Microsoft Servers, Microsoft CRM and general technical tips.

DotNetNuke DNN Spam Registrations Problem Fixed

DotNetNuke DNN Sites getting spam registrations – How to stop them

In recent weeks, many of our DNN websites have systematically been targeted for Spam New User Registrations. There has been some discussion around the how and why, and as much as we can tell, the problem is this:

1. Some script kiddy has bothered to write a bot that finds DNN websites. It is not even a good bot, because it is not capable of validating registrations to automated active email addresses. (If you are the creator of the bot… “YOU ARE DOING IT WRONG” as it is not going to bring the Google results you are looking for.)

2. The bot will attempt access to: www.yoursite.com/?ctl=Register

3. This brings into play the default DNN registration process module.

4. This page is currently available if your site has either Public or Verified registrations enabled.

5. Tricks for deterring the bot by raising the password complexity appeared to work for only a short time.

6. Enabling the inbuilt Captcha is as good as useless, as almost any OCR application can break it.

7. A better simple solution is needed.
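One way to confirm from the web server logs that the traffic described in the list above is what is hitting a site, and whether it continues after a CAPTCHA change. This is an added example, not part of the original post or the iWebs module; the IIS W3C log layout, the constructed sample lines, the `/ctl/Register/` path form and the POST threshold are assumptions.

```python
"""Count hits on the DNN registration control per client IP in IIS W3C logs."""
import re
from collections import defaultdict

# Query form from the article (?ctl=Register, matched in any case). The
# friendly-URL path form /ctl/Register/ is an assumption about how the same
# control may also be addressed; remove it if your site does not use it.
REGISTER_QUERY = re.compile(r"(?:^|&)ctl=register(?:&|$)", re.IGNORECASE)
REGISTER_PATH = re.compile(r"/ctl/register(?:/|$)", re.IGNORECASE)

# Constructed sample log using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2014-08-01 00:00:01 GET /Default.aspx ctl=Register 203.0.113.7 200
2014-08-01 00:00:02 POST /Default.aspx ctl=Register 203.0.113.7 200
2014-08-01 00:00:04 POST /Default.aspx ctl=register&returnurl=%2f 203.0.113.7 200
2014-08-01 00:00:09 POST /Default.aspx ctl=Register 203.0.113.7 200
2014-08-01 00:01:10 GET /Home.aspx - 198.51.100.20 200
2014-08-01 00:01:30 GET /Default.aspx ctl=Register 198.51.100.20 200
2014-08-01 00:02:05 POST /Default.aspx ctl=Register 198.51.100.20 302
2014-08-01 00:03:00 GET /Default.aspx ctl=Login 198.51.100.20 200
2014-08-01 00:04:00 POST /tabid/55/ctl/Register/Default.aspx - 192.0.2.99 200
"""


def parse_w3c(lines):
    """Yield one dict per request, taking column names from the #Fields line."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def is_register_hit(row):
    """True when the request addresses the registration control."""
    return bool(REGISTER_QUERY.search(row.get("cs-uri-query", ""))
                or REGISTER_PATH.search(row.get("cs-uri-stem", "")))


def register_hits_by_ip(lines):
    """Return {client_ip: {"GET": n, "POST": n}} for registration requests."""
    counts = defaultdict(lambda: {"GET": 0, "POST": 0})
    for row in parse_w3c(lines):
        method = row.get("cs-method", "").upper()
        if is_register_hit(row) and method in ("GET", "POST"):
            counts[row.get("c-ip", "-")][method] += 1
    return dict(counts)


def suspicious_ips(lines, max_posts=2):
    """IPs that submitted the registration form more than max_posts times.

    The threshold is an assumed starting point; tune it to your own traffic.
    """
    hits = register_hits_by_ip(lines)
    return sorted(ip for ip, c in hits.items() if c["POST"] > max_posts)


if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    for ip, c in sorted(register_hits_by_ip(log).items()):
        print(f"{ip:15} GET={c['GET']} POST={c['POST']}")
    print("over threshold:", suspicious_ips(log))
```

Running the same count before and after a CAPTCHA change shows whether registration POSTs actually dropped, independently of how many accounts ended up in the user list.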

ReCaptcha is the FIX that is working well

Here at InteractiveWebs, we decided to enable reCAPTCHA (a clever Google initiative, https://www.google.com/recaptcha/ ), which is harder for a machine to break, and test the results. We found that all the spam registrations stopped once reCAPTCHA was used.

To do this we created two free DNN modules that add reCAPTCHA to the URL this bot is using to register on sites. The two modules support DNN 6.2+ and 7.x+.

Once installed, you need to add the module to a page as you would any other. We recommend adding it to its own page in the DNN Admin menu, and keeping the page Admin Only.

Step 5 – Configure the iWebs Register Module.

The module you are looking for is called: iWeb’s – Register – You can select the Settings from the module drop down as you would any other DNN module.

Enter the Public Key and Private Key information that you received from your Google reCAPTCHA registration of your domain. THEN SELECT UPDATE to save the information.

Step 6 – Install the Register Control

After saving your public and private keys by clicking “update” you are ready to:

Click on the “Install Register Control”

This will inject the reCAPTCHA setting into your website, so when you hit any registration URL (www.yoursite.com/?ctl=Register) you now get the reCAPTCHA box.

Update to V2 of Recaptcha

Google has released what they call V2 of reCAPTCHA. We have updated the module to support this. The process of updating to V2 goes like this.

1. By default, previously created recaptcha keys are V1. Any updated installs of our module will need to be put into V1 mode (in the settings) to keep working with your V1 keys that you have previously configured into the module. So after updating our module to the latest release, go into the module settings and enable V1 mode for the module to keep working.

2. V2 reCAPTCHA is better than V1, so we would suggest that all users of the module update to V2. To do this, update our module to the latest release, then go into the Google reCAPTCHA management page, delete your domain's security keys, and generate new keys for V2. They have instructions on that process, albeit hard to understand.

Once you have new V2 recaptcha keys, you update these new keys back into our module and ensure that the V1 mode is NOT enabled. The V2 recaptcha will then run on your site.

To Remove and Uninstall

2. Uninstall the iwebs – Register module as you would any other DNN module.

Thoughts

This was a quick solution to some script kiddie's attempt to attack DNN. I’m actually struggling to find the purpose (if you wrote the bot and you are reading this, I would love to hear why). There is little threat by the registrations that I can find. More annoying than anything else. While reCAPTCHA can be broken, it would take some smarts or costs to use online services for the bot, so I suspect they will not bother and reCAPTCHA will reign for this problem. In any case, if they spend some time and effort making the bot work for reCAPTCHA, it is easy enough for us to implement some of the loads of other solutions available to stop them.

Donations

We included a donation button. If you find the solution, blog, research we did, modules we created and responses we provide to be helpful, please consider throwing us a few $.

Author: InteractiveWebs

This blog is the combined blog work of the InteractiveWebs Dev Team. Together we work on a range of DotNetNuke (DNN) applications, modules, Silverlight, and Microsoft CRM Portal integration products.
Our Business is website design and hosting, with a strong focus on DotNetNuke, Microsoft Dynamics CRM, Silverlight and iPhone iPad development.

Dustin… that is strange as it has stopped ours. Double check that your registration url that we mention in the article has the recaptcha enabled. This will check that you have installed it correctly. Also double check that any additional domains on the portal are registered for reCAPTCHA with Google. This will make sure that the recaptcha is displayed on all domains that register. Lastly, turn on Authentication for registration in DNN. This will let you see the email addresses that are not authenticated and are actually spam.

Do you know if implementing this will impact on automated registrations implemented in eCommerce solutions – I am specifically interested in what would happen with Catalook? The spam registrations are a particular pain on eCommerce sites as they need public registration to allow immediate checkout.

While we have not tested it, I suspect it would be just fine. We are only adding to that DNN standard module, so any time it is called, it would run normally and hand back over to the store. That being said, it would not run automatically in the store inbuilt login, but that should not be targeted by bots anyway.

Have registered with reCaptcha, turned on dnn captcha for registration, installed the module, placed in the keys, registered the control, and the captcha looks the same with no change. Have cleared the cache, still no change. Went back and re-verified all of the above. No idea what is wrong.

Most likely a key or domain registration error. Remember that you need the exact domain name. (Now you have probably thought about that, so go to our site and lodge a support ticket and we can take a look for you).

Hi Guys,
I regret to report that the site that had been heavily targeted, and which initially stopped getting spam registrations when I implemented this module, is now starting to see new spam registrations. Not nearly as many as previously, but I have definite evidence of three in the last two days. I fear that a new version of the bot with capability to crack reCaptcha may be under development. Would you be interested in seeing the logs from the site under attack? If so, please contact me by mail and I’ll get them to you.
Regards,
Graham

Very odd, the spam registrations only came through for a day or two and then stopped again. Not sure what was going on there, perhaps someone checking manually what had failed with the bot? Will continue to monitor.

We found that once they found you, they will be back. We noticed it was sporadic over a few days. 1-2 days of hits, then nothing for a bit. (Script kiddy got kicked off the computer by mum till he cleaned his room, or something.)

“I’m actually struggling to find the purpose (if you wrote the bot and you are reading this, I would love to hear why). There is little threat by the registrations that I can find. More annoying that anything else.”

Well, I think you answered yourself. What they want is to annoy, so they succeeded 🙂

I guess.. there is not a lot of people with antisocial behaviour that are content with just being “just” annoying. By virtue of the fact that the registrations usually include back link references, I suspect that the bot was written to perform as an SEO bot, for a specific site or series of sites that exposed user URL references. Thus gaining the back link value that was once realised in the past. Funny thing here is that the creators are smart enough to write the bot, but dumb enough to know it has little value to anyone. Sure it could be to just be annoying, but then filling in a URL reference would be a waste of time. I think it was for something more than that.

Thanks – I was able to install on our QA machine without trouble. I would be happy to make Paypal donation if you exposed the “theme” setting (bonus points for drop list!). Why it is embedded in the DLL but custom themes are not is a mystery to me.

Your module has worked great on one site but I just found out that when I try to use it on another portal (same DNN instance) it is already populated with the first domain’s set of keys. Is there any way to implement this on multiple portals using different domains at the same time?

I too am facing the same issue as Josiah and am also at a loss to understand how to have the same key for multiple domains which would then allow this to work across multiple portals and domains within a single DNN instance. Any ideas and solutions would be greatly appreciated.

Whether you enter one at a time or multiple domains, it generates a unique key for each domain name. Perhaps it used to allow multiple domains per key pair in the past but right now it does not. I have found references to a “global key” for reCaptcha which would allow for multiple domains per key but it seems that they no longer have that option. If anyone knows of a different page than the one above where a global key can be generated, please let me know.

Was this module supposed to replace every captcha on every page that has the registration module or only on urls which have ?ctl=register on them? My custom registration page hasn’t changed, though if I invoke the register control, it works.

I installed your package via your process and although I am no longer getting 200 a day I am still getting 10-20. I submitted a ticket for assistance (#2232) and I have not gotten a response since 8-1-2014

Hi guys,
Well sorry to say I am still getting spam registrations on the one particular site I have been struggling to protect. Looking at the logs it’s definitely bots using the ?ctl=register attack vector. A lot don’t work but some still get through – one or two a day is standard now. One reason I feel is that the reCaptcha image appearing on the registration page now is absurdly (to my mind) easy to crack – I don’t get anything that looks like the distorted text and two words approach in your image above I just get some slightly fuzzy picture with a two, three or (if I’m lucky ) four digit number there. Why is this – is there some sort of setting I am missing that actually makes reCaptcha hard rather than so easy?
Regards,
Graham

After I’ve enabled this on DNN 7.3.2, this has broken my login functionality on the site. I was able to create one new account and it did prompt with re-captcha. However, after the registration was completed, I simply got a generic error on the page that said ‘A Critical Error has occurred’ please check the Event Viewer for details. However, when I try to login to the site again using any account (even SU Account), it will no longer allow me to login.

Luckily I did this in a test site first, but please advise what may have caused this or how I can get around it.

We were able to register multiple domains in Google settings to allow the one key to work on multiple sites. I have seen comments that others could not do this in google, but I can’t replicate that, as listing multiple domains under one key was an easy option for us on the google account settings. Can you confirm this?

I have just noticed that even though verified registration is selected no verification email is sent. What is sent is an email “We are pleased to advise that you have been added as a Registered User to …” “If you do not know, or cannot remember, your password, please go to …” instead of “You can use the following link to complete your verified registration:” which the standard DNN module (on the same page to test) sends

We have updated the module to support Captcha V2. Once again it has defeated the updated bot from what we can see. To update to V2 you need to login again to the Google Recaptcha site and revoke your original keys, then issue new keys and update the module to support V2. Note that the module will now default to V2 mode, and can be put back into V1 mode if needed in the settings (although why you would do this I don’t know). The module will error out with original keys until you update your keys to V2 or change the default mode to match your keys.

We just upgraded a DNN 6.2.7 site from v1 to v2 and now the security code will not display. Switching the module settings API version to v1 causes it to show again. Switching it back to v2 causes the security code to disappear. Can you please help us with this? Are we missing something? Do we need to generate a new API key for v2?

Sorry for the delay, but as you know this is a free product and we don’t rush to support it. That being said.

The latest releases will default to V2 of Recaptcha. You either need to flip to V1 in the settings of the module to support V1, or go back into the recaptcha site settings, delete your V1 keys and generate new V2 keys. Then update our module with those keys to get it working in V2 module.

When I installed the module, I’m getting a message only on the page that the module is installed on:
A critical error has occurred. Method not found: ‘Boolean DotNetNuke.Entities.Host.Host.get_EnableStrengthMeter()’.

Yeah. From memory we are not supporting 7.0. If you need professional help updating your DNN site, we can be engaged for this through our website: http://www.interactivewebs.com support tab on the left of every page. Reference this blog chat if you need help.

Hello, We have our websites running on the latest version of DNN 7.3.4 and we installed IWeb version – iWebsRegister 72.7.7.0 PA. On enabling the recaptcha we noticed that on “Default Core DNN Register” module State/Region drop down does not list as a drop down and instead as a text box. So created a custom page and installed IwebRegister module on it and made that page as the register page and it worked i.e. the State/Region dropdown worked as expected “On Load”. But if we enter a wrong captcha then after the page refresh, instead of maintaining the state as a dropdown, it converted into a text box with the corresponding id value of the state previously chosen. i.e. if New Jersey = 293, then this is populated in the text box after the page refresh. Is this a known bug?

Also downloaded the latest version iWebsRegister 72.7.10.0 PA and installed on top of the existing Iweb register and now the recaptcha does not show at all? I updated the site key and private key again and chose v1 version and updated the module.. But still the issue exists? Any thoughts on these issues? Thanks!!

Hi, we have recently installed your Re-CAPTCHA module onto one of our 6.02.09 DNN sites. All has seemed to be working as expected with a decrease in spam accounts signing up. However we have noticed a problem when a user tries to edit their own profile. If a user wants to update their profile/password themselves they will log in, click their username to the left of the “logout” button and then click “edit profile”. This will usually take you to the profile module where the user can update their profile/password. However with the Re-CAPTCHA module installed clicking “Edit profile” takes the user to a registration page while they are still logged in. The form is pre-populated with their details with a register button at the bottom which says the username is already taken if they click it. Is there a fix for this as with the module installed users currently have no way of updating their profile/password and it’s causing some confusion passing them to a register page. Look forward to your reply, many thanks! Scott

Thank you for your enquiry Scott. We have opened a support ticket on your behalf with the data provided in this post. In the future if you have troubles with any of our modules please log a support ticket from our website.

Have been using the reCaptcha module for a while and I have to say it has been effective. However, we have also noticed the above issue and can confirm that it is a problem. Have you addressed this since it was flagged almost a year ago?
Tried to see if you have a new version and download but then when I click on your download link it gives a 404 on a dropbox page. Please look into all these issues. Feels like the project is abandoned. Using iWebsRegister 62.6.10.0 PA

Thank you very much. Just tried the new version iWebsRegister 62.6.11.0 PA and I can report that it still has the above issue. When logged in if a user clicks on “Edit Profile” it goes back to registration page rather than the edit profile page. Would appreciate if you fix this.

It may be that your keys are set up for reCAPTCHA version 1.0 and the module defaults to version 2.0. There is a setting within the module that allows you to select 1.0, or alternatively go into the Google reCAPTCHA website and delete the existing version 1.0 keys and create new version 2.0 keys and insert those into the module settings.

I can confirm that I’m having the same issue as Camy. I had previously setup request filtering and a specific registration page and had the default captcha turned on. I turned off request filtering and tried multiple other fixes, but wasn’t able to get it to work. Using DNN 733 and your version 72.7.10. Google keys are definitely v2, however I tried both version settings in your module. The only values I entered into the module settings were the keys and they were correctly entered. The core captcha is still being displayed in the standard DNN register control, which is still on a specific page (as opposed to using ?ctrl=register), and if you access the page with your module you get the error specified above. Since Camy didn’t post it, the inner stack trace of the error is:

The site does have Catalook and several other large modules installed. Could it be that there is a name conflict in the client script manager? Would love for this to work… any suggestions would be greatly appreciated.

Other modules will not be the likely cause. Could be a skin issue perhaps, or similar. Please submit a support ticket from our site so we can take a look at what is going on. Be sure to reference your comments here.

First time it solved my problem. Unfortunately today after seeing the old module threw an error, I downloaded the new module and installed it but this time it made my DNN installation crash 🙁
CPU stuck at 100% and csc.exe keeps on compiling forever.

Not sure why this happened but I restored my DB and now everything is back to normal. By the way, the version I had was already compatible with recaptcha V2. The problem was I found these errors on my websites using recaptcha
An internal error occurred: 4A6376441D250.ADE1949.3546A435
I thought it had to do with the version of the Recaptcha but it didn’t.

Reverted to 62.6.6 and it works fine now
I think I will not upgrade to 62.6.10 🙂

Hi I don’t know if you can help, but here’s my problem.
I have a dnn Site that is getting hundreds of failed spam registrations a day.
I have set Admin/ User Registration to “None”
I have removed the smtp settings from the Host SMTP Server and port:
I have completely removed the Admin account
None of this has helped, in fact it has doubled the volume of spam.

Install our spam registration module from our site. This is the one mentioned in our post. The reason is that it will update some files that are still in DNN after changing registrations to None. Better that you set the site up with Recaptcha V2 and be done with the spam bots.

I have a site on DNN 07.01.00. I installed the 72 module and followed the instructions including clicking the “Install Register Control” button. On the page with the iWebs Register Module I see the reCaptcha V2 but the existing registration page still has the DNN captcha. Am I misunderstanding something or shouldn’t the existing DNN captcha be replaced in the existing registration module or do I need to actually use the iWebs Registration module instead of the DNN registration module?

I installed iWebs Register on a DNN 6.4.x install. I have a custom web registration page and when clicking register from my login page it now tries to redirect to /register.aspx and this does not exist. Any ideas and suggestion for fix? Even when changing the registration page so that it goes to the default it still redirects and the page cannot be found.

We think this is either some redirection rules, or a much older version of the module installed first. Best you contact us using the Support tab and lodge a support ticket. Be sure to reference this comment.

I also have this same problem and I did contact support but they couldn’t figure it out. The redirect is still there even after “restoring the control” and uninstalling the module it still redirects to register.aspx

I am also on 6.4 and was using the current version of the module.

Could you let us know what is modified in DNN by the module so I can try to find where and why this redirect is happening?

I have a module that’s basically a custom form that has been developed by someone else and they neglected to add a Captcha widget.

As a result I can’t just add your widget above the submit button within the DNN admin console as a module. Do you think I can possibly just add it manually into the legacy custom module like a tag and then package it together..?

Hello,
I installed your iWebs register recaptcha module and it did indeed solve the problem BUT, it can only work on one of the portals of my installation.
I have more than one portal on a single installation and if things work smoothly on one the other portals using captcha throw an error whenever a user tries to register (Error: invalid domain for site key).
Is there a way to solve this problem?

Sorry, my mistake. I posted the comment above but I was wrong.
I seem to be able to use the module on more than one portal in my installation but the error above – Invalid domain for site key – seems to come up pretty often on my websites preventing users from registering correctly.

How often does Google change the recaptcha codes??
I tried flagging the Send alerts to owners control box but nothing gets notified and I only find out things are not working anymore when some user complains he is incapable of completing the registration process.

Is there a predictable scheme in the change of keys or it could happen any time without warning?
If I know I have to change the keys, let’s say, each month I can set up a reminder and watch out for it on the websites but If I don’t have any predictable interval then it’s a little harder.

Very nice and useful module guys. Thank you very much.
Unfortunately, there is one little problem. When we have main portal and child portals on different domain this solution will not work as child portals will have different domain than main portal and will have to have different keys added for this module. Unfortunately, this module can be used only when DNN installation has only one domain name.

We were using this module successfully for a long time on a ‘cannot upgrade OR shut it off’ DNN 6.02.09 site. As of February this year it appears to have stopped working and the amount of registration spam coming through has been increasing lately.

Is there a way to fix or upgrade or do something to mitigate the registration spam again? Please email me directly if you need more details or want to take a look at the site. Thank you – Jeremy

In between, I used this iWebsRegister 80.0.1.0 PA.zip on a DNN evoq 08.00.00 website. Not sure if it is working. However I tried to change the theme to red and other available themes. But it is still clean. So why is that? Can I expect this as working?
Please can you advise?

I have attempted to install and use the iWebs Registration Recaptcha module as instructed. I established an account with Google and copied the secure keys provided. I am running DNN 8.0.4. With each test I receive the error “Incorrect Security Code” which appears at the top of the module but not in the Event Log. I attempted another test using the test keys provided by Google (copy paste) and received the same results. At this point I am at a loss, as the module is not useful in this environment. Can you provide any insight regarding the error message?

Attempting to use the module in DNN 8.0.4 with V2 has turned into a dead end. That same error message “Incorrect Security Code” continues to appear and the registration fails. When I went to my Google Recaptcha site, Google displayed a message indicating that the client site was using V1. Strange, because Google has no way to establish V1 keys and the module was set to V2. Even though I set up the keys as V2, the module did work successfully when I switched to V1 in the module. Switching back to v2 in the module resulted in the same error. At this juncture I am not able to use V2 and Google has posted a deadline of 3/31/2018 to terminate support for V1. Also, on V1 the Google widget refers to a site which apparently does not exist. So far what appeared to be a promising journey has become a nightmare. Also sent in a support request to iWeb – waiting for response.

OK, did manage to get the module working in test mode on my desktop. Major step forward. Appears that all items must be preset prior to loading and installing the module. Once the dnn elements were set I then loaded and installed the module as the very last step. Next step is to uninstall and reload module on the production system.